Abstract

Any secured system can be modeled as a capability-based access control system in which
each user is given a set of secret keys of the resources he is granted access to. In some large
systems with resource-constrained devices, such as sensor networks and RFID systems, the
design is sensitive to memory or key storage cost. With a goal to minimize the maximum users'
key storage, key compression based on key linking, that is, deriving one key from another
without compromising security, is studied. A lower bound on key storage needed for a general
access structure with key derivation is derived. This bound demonstrates the theoretic limit of
any systems which do not trade off security and can be treated as a negative result to provide
ground for designs with security tradeoff. A concrete, provably secure key linking scheme based
on pseudorandom functions is given. Using the key linking framework, a number of key pre-
distribution schemes in the literature are analyzed.
I. Introduction



In any computer system offering security-related services, it is a basic necessity that its users

have access to some private information to give them leverage over an adversary. These secret 
pieces of information are commonly known as (cryptographic) keys. The key is usually used as 
input to protocols or algorithms for identification, secrecy and authentication purposes. Nearly 
all such systems can be modeled as a capability-based access system in which each resource is 
assigned a secret key and a user granted with access right to the resource would be given its key. 
For example, in secure group communication [3], each conference group is assigned a conference 
key which is given to all users belonging to the group so that the communication of the group 
could be kept secret and message authentication can be achieved within the group. 

Ideally, the security requirement of a typical system (not limited to secure group communi- 
cation) is that all users outside a particular group or not granted access to a resource should 
not be able to obtain or compute the key for it even by collusion. For instance, in secure group
communication, it is necessary to ensure that all users outside a certain conference group (whose 
key is treated as a resource key) should not be able to derive the group key from their keys. 

In most cases, the storage needed at each user could be too large to be practical. For example, 
in a typical access control system, if a user has a high level of privilege, his device may need to 
store a considerable number of keys. Since the cost of the tamper-resistant storage for the keys 
increases linearly with the size of the key storage, it is thus worthwhile to study techniques to 
generate all these keys from a smaller seed or compress the key materials. There is a similar 
problem facing emerging applications like sensor networks and RFID tags. Despite the dropping 
cost of secure storage, key storage is still a big concern in these applications, involving low cost 
embedded devices which have to store a considerable amount of secret keys. Compressing key 
materials is essential to the scalability of such designs. 

To ensure correctness of the operation of all cryptographic algorithms, the key compression 
needs to be lossless. Besides, to protect a resource from unauthorized access by collusion of 
compromised users, the key compression should not leak information that can ease unauthorized 
access to any resource key not given to the compromised users. This paper studies techniques to 
create dependency between resource keys (to derive one key from another) so as to reduce the 
storage requirement on each user device. In other words, we exploit the redundancy in privileged
group memberships for key compression. The goal is to minimize the maximum of user key 
storage over all users. To link keys together, we need to consider the access memberships of all 
the resources in the system to avoid compromising the security of some resources.¹ We investigate
the limit of this key derivation approach by deriving a bound on maximum compression achievable 
without compromising the security of any resource key. 

Due to their simplicity, existing work in the literature such as [10], [20], [7] only considers
monotonic access structures, whereas this paper considers a much more general access structure
without imposing any restrictions on the properties it must have. The results of this paper are
general enough to cover most practical application scenarios. Note also that the applicability of the 
model we use is not limited to symmetric or shared key systems. For asymmetric key systems, the 
model depicts the possession of private keys and the resources represent all algorithms requiring 
a private key input. For instance, a resource could represent the decryption algorithm of a certain 
public key cryptosystem and its keys represent the required private keys to achieve a successful 
decryption of a certain ciphertext encrypted using the corresponding public key. The access 
control model we consider in this paper could cover a wide range of actual systems, including 
those not designed for access control purposes. 

The contribution of this paper is three-fold. First, we derive the lower bound on key storage 
needed for a general access structure if key dependency is created between keys held by a user. 
This lower bound corresponds to the theoretical limit on maximum key compression achievable in 
an ideal access structure without key compromise. We also show that this bound is tight by giving 
some concrete examples in sensor network key pre-distribution, which are either bound-achieving 
or close to this bound. Second, we give a practical, provably secure key linking scheme (for a 
general access structure) based on pseudorandom functions (PRF). We also provide a reduction 
proof of security for this construction. Third, we demonstrate how to apply the key linking 
framework to reduce key storage in pairwise key pre-distribution schemes for sensor networks. 
We have to emphasize that, unlike the existing schemes with key re-use such as [14], [6], the 
resulting key storage reduction does not come with a price of lowering the resilience or security 
against compromised nodes.² The only trade-off is lowering the security guarantee from the
information-theoretic sense to the computational-complexity-theoretic sense (due to the use of 
pseudorandom functions), which in essence makes no difference in practice. 

In the next section, we present the definitions of access structures. In Sections III and V
we present the key storage lower bound and the key linking construction based on pseudorandom
functions respectively. Then we consider applying the key linking framework to key
pre-distribution for sensor networks in Section VI. Finally, we have some discussions in Section
VII and conclude in Section VIII.

II. Access Structure 

We use an access control system to model a security system; a fairly wide range of applications 
can be covered by this model. The access structure of a typical system depicts the relations 
between users and keys/resources. A graphical presentation is shown in Figure 1.

Suppose $\mathcal{U} = \{u_1, u_2, \ldots, u_n\}$ is the set of users and $\mathcal{R} = \{r_1, r_2, \ldots, r_m\}$ the set of resources
in a system. Let $2^{\mathcal{U}}$ be the set of all subsets of $\mathcal{U}$ and denote the set of all possible secret keys
by $\mathcal{K}$. Each resource $r_j \in \mathcal{R}$ is associated with a key $k_j \in \mathcal{K}$, and an ordered pair $(P_j, F_j)$ with
$P_j \subseteq \mathcal{U}$ and $F_j \subseteq 2^{\mathcal{U}}$; $P_j$ is the subset of privileged users granted access to $r_j$ whereas each
element in $F_j$ corresponds to a forbidden subset of users which should not be able to access $r_j$
even if all of them collude. Then the access structure of a system has the following definition.

¹ The access membership of a resource is the subset of legitimate users granted access right to it.

² In nearly all of the existing key pre-distribution schemes for sensor networks, in order to lower the key storage
requirement, the same key is used for links between several pairs of nodes. So when a key is exposed to an adversary
due to a compromised node, all these links will be compromised instead of one, thus lowering the resilience of the
network against compromised nodes.

Fig. 1. A Typical Access Structure Graph

Definition 1. The access structure $\Gamma$ of a security system $(\mathcal{U}, \mathcal{R}, \mathcal{K})$ is the following set of
4-tuples: $\{(r_j, k_j, P_j, F_j) : r_j \in \mathcal{R},\ k_j \in \mathcal{K},\ P_j \subseteq \mathcal{U},\ F_j \subseteq 2^{\mathcal{U}}\}$.

In the definition of an access structure, a system is not required to guard against all illegitimate 
users outside the privileged group of a resource from accessing it. In practical scenarios, usually, 
only a bounded number of illegitimate users in collusion could be excluded; there is a tradeoff 
of security for storage. However, this paper considers an ideal access structure which is the most 
desired setting as raised by Naor et al. [18] in the context of broadcast encryption. An access
structure is ideal if all the illegitimate users to any resource in the system are excluded from 
accessing it. 

Definition 2. An access structure $\Gamma = \{(r_j, k_j, P_j, F_j)\}$ for a security system $(\mathcal{U}, \mathcal{R}, \mathcal{K})$ is ideal
if $\mathcal{U} \setminus P_j \in F_j$, $\forall r_j \in \mathcal{R}$.

In a security system, the access structure is associated with a key assignment scheme. The set 
of keys held by a user may not be exactly the same as that of the resources he could access, but 
should allow him to compute all the resource keys he needs. An access structure graph, whose 
definition is given below, incorporates a key assignment to an access structure. 

Definition 3. Given a set of users $\mathcal{U} = \{u_1, u_2, \ldots, u_n\}$, a set of resources $\mathcal{R} = \{r_1, r_2, \ldots, r_m\}$
and a set of keys $\mathcal{K}$, an access structure graph $\mathcal{G}$ for the system is a bipartite graph with vertex
set $V(\mathcal{G}) = \mathcal{U} \cup \mathcal{R}$ and edge set $E(\mathcal{G}) \subseteq \mathcal{U} \times \mathcal{R}$, and the following properties hold:

• $(u_i, r_j) \in E(\mathcal{G})$ if and only if $u_i$ can access $r_j$.

• Each resource vertex $r_j$ is associated with a privileged user subset $P_j \subseteq \mathcal{U}$ such that $(u_i, r_j) \in$
$E(\mathcal{G})$ if and only if $u_i \in P_j$.

• Each resource vertex $r_j$ is associated with a key $k_j \in \mathcal{K}$.

The associated key assignment of an access structure graph is said to be secure and sound
if the following holds: a user $u_i$ can compute the key $k_j$ if and only if $(u_i, r_j) \in E(\mathcal{G})$, for all
$1 \le j \le m$. Note that existing key pre-distribution schemes for sensor networks with key re-use
[14], [6] do not satisfy this requirement of security and soundness.

III. A Key Storage Lower Bound with Key Dependency 

This section uses the access structure graph defined in Section II to derive a lower bound on
the key storage requirement if dependency is created between keys. 
In an access structure graph, the degree of each user vertex $u_i$ is the key storage requirement at
$u_i$ assuming the users store the resource keys directly and each key has the same length, whereas
the degree of each resource vertex $r_j$ is the number of privileged users who can access it, which
is the same as $|P_j|$. Let the key storage at user $u_i$ be $d_i$; the goal is to minimize $\max_{u_i \in \mathcal{U}}\{d_i\}$.

Usually the resource keys should be picked independently at random to ensure security.
However, for some users, storing multiple keys may be redundant. For instance, if a privileged
group $P_1$ is the subset of another, say $P_2$, that is, $P_1 \subseteq P_2$, then it is redundant for a user in $P_1$
to store $k_2$ (the key for $P_2$) in addition to $k_1$ (the key for $P_1$). If $k_2$ can be derived from $k_1$,
then the storage at each $u_i \in P_1$ would be reduced by one key,³ equivalent to removing the edge
$(u_i, r_2)$ from $\mathcal{G}$ and adding a new edge between $r_1$ and $r_2$ (the key dependency). Note that the
resulting graph is no longer bipartite.

Given two keys $k_j$ and $k_{j'}$ for privileged subsets $P_j$ and $P_{j'}$, if $k_{j'}$ is derived from $k_j$, all users
in $P_j$ would have access to $k_{j'}$. As a result, to ensure that the key linking does not compromise
security, it is necessary to make sure that $P_j \setminus P_{j'} = \phi$ (the empty set). In other words, $P_j \subset P_{j'}$
if $P_j \neq P_{j'}$. Otherwise, a user not in $P_{j'}$ (but in $P_j$) would have access to $k_{j'}$. Subject to this
constraint, the best achievable key storage reduction is given by the following theorem.

Theorem 1: If dependency is created between keys while maintaining the ideal access structure
and security of a system, depending on the access structure, the best achievable maximum storage
at each user is at least $\lceil m/n \rceil$ where $n$ is the total number of users and $m$ is the total number of
resources with distinct access membership.

Proof. To maintain the security and access structure, a key $k_{j'}$ can be derived from another key
$k_j$ only if $P_j \subset P_{j'}$, and the users in $P_{j'} \setminus P_j$ need to store $k_{j'}$ while users in $P_j$ can generate $k_{j'}$
from $k_j$.

If a key $k_{j'}$ can be generated from $k_j$, then $|P_{j'} \setminus P_j| \ge 1$ since $P_j \subset P_{j'}$ (note that the $m$
resources have distinct access membership). That is, at least one user in $P_{j'}$ needs to store $k_{j'}$. In
other words, after key linking, each resource vertex in the access structure graph should have at
least one edge coming from the set of user vertices. If we denote the number of edges coming
from a user vertex to $r_j$ by $y_j \ge 1$ and the degree of a user $u_i$ by $x_i$, then

$$\sum_{i=1}^{n} x_i = \sum_{j=1}^{m} y_j \ge \sum_{j=1}^{m} 1 = m.$$

In the best case, the degrees of any two users $u_i$ and $u_{i'}$ should not differ by more than 1. Hence,
the maximum user degree $\max_{u_i \in \mathcal{U}} \deg(u_i) \ge \lceil m/n \rceil$. ■

The result of Theorem 1 does not assume any concrete construction for creating the key
dependency. It is rather general, discussing whether a particular key could be derived from another
while maintaining security and what the best achievable key storage reduction would be. In
the best scenario, a - reduction factor could be achieved by eliminating all redundancy in the
privileged group memberships of a system. The lower bound in Theorem 1 is also tight as can
be seen from the example below.

Shown in Figure 2 is an example for the complete secure group communication with 4 users.
Originally, each user has to store $2^{4-1} - 1 = 7$ keys. Note that $m = 11$ and $n = 4$, and hence
$\lceil 11/4 \rceil = 3$. After key linking,⁴ the maximum number of keys of a user is $4 > 3$.

³ Such a derivation is possible if $k_2$ does not leak information about $k_1$ in practice. We show in the next section
how such a derivation can be instantiated by a pseudorandom function.

⁴ Note that two fictitious nodes are added to achieve a lower storage; the lower bound stated in Theorem 1 holds
here because the only effect of adding these fictitious nodes is that two resource nodes are added to the original access
structure graph, which in essence increases the value of $m$.
Fig. 3. An Example Access Structure Graph in which Key Linking cannot lead to a Reduction of the Maximum Key
Storage per User



Clearly, as long as there exist resource nodes (in the access structure graph) sharing a non-empty
intersection between their access membership sets, key linking could always be possible
between them, resulting in storage reduction at some users. However, it is not necessarily true that
$\max_{u_i \in \mathcal{U}}\{d_i\}$, the maximum of the key storage per user (over all users), can always be reduced.
We may achieve storage reduction at all users but the one with maximum storage, particularly
when the access structure graph is very irregular. For instance, shown in Figure 3 is a case
where key linking cannot lead to a reduction on the maximum of key storage per user (which
is originally 3); no matter how key dependency is created, the maximum key storage per user is
still 3 while the lower bound should be $\lceil m/n \rceil = 1$. Whether the lower bound on the maximum key
storage per user (as stated in Theorem 1) can be achieved and whether key linking can reduce the
maximum key storage per user depends on the access structure. Loosely speaking, if the access
structure graph is dense, it is likely that a reduction on the maximum key storage per user can
be achieved through key linking; if the degrees of user nodes are regular (that is, each user has
access to roughly the same number of resources), and the sequence of the degrees of the resource
nodes (in ascending order) does not have a sharp difference between two consecutive elements
(that is, there does not exist a resource node having a considerably larger access membership
set than others), key linking is most effective with the resulting maximum key storage per user
closest to the lower bound.

A general key linking algorithm is designed (given in the next section) to run experiments on 
different access structure graphs. The results actually agree with the above observations. 

IV. An Algorithm to find a Key Linking Pattern 

Depicted below is a general algorithm for finding a key linking pattern for any given access 
structure graph. This algorithm converts an access structure graph into one with key linking. It 
runs as follows: 



An algorithm to find a key linking pattern.

Input: an access structure graph

Output: an access structure graph with key linking

1) Sort the resource nodes according to the size of their privileged groups and
assign an index (0, 1, 2, ...) to each node accordingly.

2) Pick the node with the largest index to start with and set it as the current node.

3) From the current node, pick the node with the next smaller index and set its
index as the find-pointer.

4) Check if the privileged group of the node at the find-pointer is a subset of that of the
current node.

a) If yes, mark a link from the find-pointer node to the current node and
go to step 5.

b) If no, decrease the find-pointer by 1 and repeat step 4 if the find-pointer
is greater than zero; otherwise, go to step 5.

5) Decrease the current node index by 1.

6) Repeat steps 3-5 until the current node index is 0.
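As an added example (not the paper's code), the Python below implements the algorithm above over the access structure graph of Sections II and III, together with the Theorem 1 bound and the secure-and-sound check of Section II; the lexicographic tie-breaking among equal-size groups and the scan of the find-pointer down to index 0 are this example's assumptions. It is run on the paper's 4-user complete group communication example and on a constructed nested hierarchy, which shows the Section III observation that the average storage drops while the maximum may not.

```python
"""Key linking over an access structure graph (Sections II-IV).

Each resource is identified by its privileged user set P_j (distinct memberships).
A link "k_j' is derived from k_j" is admissible only when P_j is a proper subset
of P_j', the condition derived in Section III.
"""
from itertools import combinations
from math import ceil
from typing import Dict, FrozenSet, Hashable, List, Optional, Sequence, Tuple

Group = FrozenSet[Hashable]
Source = Dict[int, Optional[int]]


def storage_bound(groups: Sequence[Group], n_users: int) -> int:
    """Theorem 1: the maximum per-user storage is at least ceil(m/n),
    where m counts resources with distinct access membership."""
    return ceil(len(set(groups)) / n_users)


def find_linking(groups: Sequence[Group]) -> Tuple[List[Group], Source]:
    """The greedy algorithm of Section IV. Returns the sorted resource list and
    source[j], the index of the resource whose key k_j is derived from (None if
    k_j stays an independently chosen key). Assumptions of this example: ties in
    group size are broken lexicographically, and the find-pointer scan runs down
    to index 0 inclusive."""
    order = sorted(groups, key=lambda g: (len(g), sorted(g)))   # step 1
    source: Source = {j: None for j in range(len(order))}
    cur = len(order) - 1                                         # step 2
    while cur > 0:                                               # step 6
        fp = cur - 1                                             # step 3
        while fp >= 0:                                           # step 4
            if order[fp] < order[cur]:      # proper subset of privileged groups
                source[cur] = fp            # 4a: k_cur is derived from k_fp
                break
            fp -= 1                                              # 4b
        cur -= 1                                                 # step 5
    return order, source


def stores(user: Hashable, j: int, order: List[Group], source: Source) -> bool:
    """u keeps k_j in its own storage iff u is privileged for r_j and cannot
    derive k_j from the source key (i.e. u is not in the source group)."""
    src = source[j]
    return user in order[j] and (src is None or user not in order[src])


def can_obtain(user: Hashable, j: int, order: List[Group], source: Source) -> bool:
    """u ends up holding k_j if it stores it, or holds the source key and derives
    k_j from it (possibly through a chain of links)."""
    if stores(user, j, order, source):
        return True
    src = source[j]
    return src is not None and can_obtain(user, src, order, source)


def key_storage(users: Sequence[Hashable], order: List[Group], source: Source) -> Dict[Hashable, int]:
    """Number of keys each user must store after linking (its degree d_i)."""
    return {u: sum(stores(u, j, order, source) for j in range(len(order))) for u in users}


def secure_and_sound(users: Sequence[Hashable], order: List[Group], source: Source) -> bool:
    """Section II: u can compute k_j if and only if (u, r_j) is an edge, i.e. u in P_j.
    Soundness fails if a privileged user cannot reach its key; security fails if a
    link (or chain of links) hands a key to a non-privileged user."""
    return all(can_obtain(u, j, order, source) == (u in order[j])
               for u in users for j in range(len(order)))


def analyse_linking(users: Sequence[Hashable], groups: Sequence[Group]) -> dict:
    order, source = find_linking(groups)
    return {
        "bound": storage_bound(groups, len(users)),
        "before": {u: sum(u in g for g in groups) for u in users},
        "after": key_storage(users, order, source),
        "secure_and_sound": secure_and_sound(users, order, source),
    }


USERS = (1, 2, 3, 4)
# Constructed input 1: the paper's complete secure group communication with 4 users,
# every group of at least 2 users being a resource (m = 11, n = 4).
COMPLETE = [frozenset(c) for size in (2, 3, 4) for c in combinations(USERS, size)]
# Constructed input 2: a nested hierarchy, where linking does lower the maximum.
HIERARCHY = [frozenset(g) for g in ((1, 2, 3, 4), (1, 2, 3), (1, 2), (3, 4))]

if __name__ == "__main__":
    for name, groups in (("complete", COMPLETE), ("hierarchy", HIERARCHY)):
        print(name, analyse_linking(USERS, groups))
```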



V. A Key Derivation Scheme based on Pseudorandom Functions 

In order to generate a key $k'$ from another key $k$, we could consider $k$ as a seed to some
pseudorandom generator $g$ which outputs $k'$.⁵ The requirement of a suitable generator is that, without
the knowledge of the seed $k$, to any computationally efficient algorithm (i.e. polynomial-time), the
output of $g$ is indistinguishable from any random number picked uniformly from the key space.
This would ensure that the view to anyone (computationally bounded and without the knowledge
of the seed) is almost identical to that without key linking, thus guaranteeing that nobody
could learn any information about the seed key from the generated keys. This computational
indistinguishability requirement is essential to ensuring the security of the whole system. The
explanation is as follows: Note that the resulting keys from the generator are to be used as input
keys to a certain cryptographic algorithm or protocol whose security guarantee is usually based
on the assumption that the input key is uniformly picked from the key space. In fact, it can be
shown that, if the distribution of the key generator output is computationally indistinguishable⁶
from a uniform distribution over the key space, the security guarantee of cryptographic primitives
like encryption and message authentication codes holds.

⁵ The output space of $g$ should be the same as the key space.

Although one-way functions or pre-image resistant hash functions have a long history of being
used for linking messages in message authentication [5], [16], it should be noted that the direct
application of a one-way function as the key generator is not sufficient to achieve the goal of
key secrecy here.⁷ A more careful composition of one-way functions is needed for linking keys
together, namely, a pseudorandom function (PRF) whose definition is as follows.

Definition 4. Let $f : \{0,1\}^{l_s} \times \{0,1\}^{l_i} \to \{0,1\}^{l_o}$ be a function which takes a seed key $s \in \{0,1\}^{l_s}$
and an input string $x \in \{0,1\}^{l_i}$ and outputs another string $y \in \{0,1\}^{l_o}$ (i.e. $y = f_s(x)$).
$f_s(\cdot)$ is said to be taken from a pseudorandom function ensemble⁸ with index $s$ if it satisfies that,
with $s$ uniformly picked from $\{0,1\}^{l_s}$ and kept secret, any computationally efficient algorithm
$\mathcal{A}$ given a set $Z = \{(x', y') : y' = f_s(x')\}$ of evaluations of $f_s$ at $x' \in X$ of its choice could tell
whether a given $y$ is the output of $f_s(\cdot)$ on input $x \notin X$ or randomly picked from $\{0,1\}^{l_o}$ only with
a negligible advantage in $l_s$ for all $x$, where the advantage of an algorithm $\mathcal{A}$ for a given $x$ is
defined as follows:

$$\left| \Pr[s \leftarrow \{0,1\}^{l_s};\ y = f_s(x) : \mathcal{A}(Z, x, y) = 1] - \Pr[y \leftarrow \{0,1\}^{l_o} : \mathcal{A}(Z, x, y) = 1] \right|.$$

Suppose $f$ is a PRF. To generate a key $k'$ for a resource (or privileged group) with label $r'$
from another key $k$ for a resource with label $r$, we could consider the concatenation of the labels
$r\|r'$ as an input string to $f$ and generate $k'$ as $k' = f_k(r\|r')$. In the next section, privileged
group identities in a sensor network are used as resource labels. The property of $f$ ensures that
nobody (computationally bounded), without the knowledge of $k$, would be able to distinguish
$k'$ from a key directly picked from the key space with a non-negligible advantage. This also
guarantees that nobody could extract $k$ from $k'$. If there is a PPT algorithm $\mathcal{A}$ which can extract
$k$ from $k'$, then it could be used to tell whether a given $k'$ is generated from $f$ or randomly
picked as follows: run $\mathcal{A}$ on $k'$ to extract $k$ and check if $k' = f_k(r\|r')$; $k'$ is generated from
$f$ if and only if $k' = f_k(r\|r')$; otherwise, flip a coin to make a random/wild guess. Hence, the
key extraction problem is at least as difficult as solving the decisional problem non-negligibly
better than a wild guess. Conjectured pseudorandom functions which are efficient for the purpose
here include AES-OMAC [2] and SHA-HMAC [15]. For example, if $h(\cdot)$ denotes the HMAC
function, $f_k(x)$ can simply be implemented as $h(k\|x)$ where $k\|x$ denotes the concatenation of
the secret key $k$ and the public input $x$.

It is natural to worry about whether such indistinguishability is preserved if $f$ is used to generate
a series of keys, that is, whether $k_t$ is still computationally indistinguishable from a random
key if it is generated from $k$ in the following series: $k_1 = f_k(r\|r_1)$; $k_2 = f_{k_1}(r_1\|r_2)$; $\ldots$;
$k_t = f_{k_{t-1}}(r_{t-1}\|r_t)$. The following theorem would be useful in answering this question.

⁶ Two probability distributions are said to be computationally indistinguishable when no polynomial-time distinguishing
procedure can tell them apart. In other words, given a sample which could be picked from either of the two
distributions, no sufficiently efficient algorithm can tell whether the sample is from the first distribution or the second.

⁷ Recall that a one-way function is one which is easy to evaluate in one direction but hard in the reverse. In some
implementations, the output of a one-way function may leak a significant fraction of the input bits. For example,
suppose $f : \{0,1\}^l \to \{0,1\}^l$ is a one-way function leaking no input bit; we could construct another one-way
function $f' : \{0,1\}^{2l} \to \{0,1\}^{2l}$ in the following way: $f'(x_1\|x_2) = x_1\|f(x_2)$ where $x_1, x_2 \in \{0,1\}^l$. This is still
a one-way function but leaks half of the input bits. Consequently, one might be able to distinguish between its output
and a uniformly picked random number.

⁸ We will call $f_s$ a pseudorandom function for the sake of simplicity despite the loss of rigor.

Theorem 2: Suppose $f : \{0,1\}^{l_k} \times \{0,1\}^* \to \{0,1\}^{l_k}$ is a PRF, $k$ is uniformly picked from
$\{0,1\}^{l_k}$, and $k_1 = f_k(r\|r_1)$; $k_2 = f_{k_1}(r_1\|r_2)$; $\ldots$; $k_t = f_{k_{t-1}}(r_{t-1}\|r_t)$. If $t$ is polynomially many
in $l_k$, then $\{k_t\} \equiv U_{l_k}$ (denoting that the two distributions are computationally indistinguishable⁹)
where $\{k_t\}$ is the distribution of $k_t$ and $U_{l_k}$ is the uniform distribution over $\{0,1\}^{l_k}$.

Proof. Suppose we look at the generation of $k_i$ from $k_{i-1}$ and assume that $\{k_{i-1}\} \equiv U_{l_k}$
with an indistinguishability coefficient $\epsilon_{i-1}$ (defined as the maximum indistinguishability
advantage achievable by any poly-time algorithm); that is, $\epsilon_{i-1}$ is negligible. We know that
$k_i = f_{k_{i-1}}(r_{i-1}\|r_i)$ and wish to show that $\{k_i\} \equiv U_{l_k}$. We use the standard hybrid argument with the
hybrid distribution $K_i' = \{k_i' : s_i \leftarrow \{0,1\}^{l_k};\ k_i' = f_{s_i}(r_{i-1}\|r_i)\}$. From the property of the PRF,
$K_i' \equiv U_{l_k}$ with an indistinguishability coefficient $\epsilon_f$ (negligible). We argue that $K_i' \equiv \{k_i\}$ by
contradiction. Suppose there is a PPT algorithm $\mathcal{A}$ which can distinguish between $K_i'$ and $\{k_i\}$
with a distinguishing advantage $\epsilon_i'$; then it can be used to distinguish between $\{k_{i-1}\}$ and $U_{l_k}$.

The construction is as follows: for a given $s \in \{0,1\}^{l_k}$, compute $k = f_s(r_{i-1}\|r_i)$ and run
$\mathcal{A}$ on $k$. If $s \in \{k_{i-1}\}$, then $k \in \{k_i\}$, whereas, if $s \in U_{l_k}$, then $k \in K_i'$. Thus this perfectly
simulates the challenge of $\mathcal{A}$ in a real attack and could be used to distinguish between $\{k_{i-1}\}$
and $U_{l_k}$ (a contradiction to our assumption). Hence, $\epsilon_i' \le \epsilon_{i-1}$.

Overall, $\{k_i\} \equiv U_{l_k}$ with an indistinguishability coefficient $\epsilon_i \le \epsilon_i' + \epsilon_f = \epsilon_{i-1} + \epsilon_f$. Note
that when $i = 1$, $\epsilon_0 = 0$ since $k_0 = k \in U_{l_k}$. Summing over $i$, we have $\epsilon_t \le t\epsilon_f$. Since $\epsilon_f$ is
negligible in $l_k$, if $t$ is polynomially many, then $\epsilon_t$ remains negligible in $l_k$. This concludes the
proof. ■

Since the security guarantee of a pseudorandom function is based on computational complexity,
key linking based on a pseudorandom function is computationally secure.

VI. Key Linking for Pairwise Key Pre-distribution in Sensor Networks 

In this section, we look at three examples of applying key linking to sensor network key pre- 
distribution (KPS). In a sensor network, each node is preloaded with a set of keys in its key ring 
in such a way that it can establish a pairwise key with another node in its physical neighborhood 
with reasonably high probability (mainly for mutual entity authentication); the model considered 
here is the same as that in [14], [6], [4], [12], [11]. In pairwise KPS, each privileged group 
consists of two users or nodes. We will ignore the repeated usage of keys, which trades off 
security for reduced key storage; but the discussion below should also apply to that case. 

A. A Graph-theoretic Representation of KPS for Sensor Networks 

When two sensor nodes share a common key, they can mutually authenticate each other. 
We can easily represent this keying or trust relationship in a graph; that is, the sensor nodes are 
represented as vertices and an edge exists between two vertices if the corresponding sensor nodes 
share a common key. This graph is called a keying relationship graph in the following discussion. 
Note that the keying relationship graph is a logical graph and does not reflect the actual network 
topology of the sensor network during deployment. We assume there are n sensors. 

⁹ That is, no polynomial time algorithm can distinguish whether a given sample is from the former or the latter
distribution.
B. Key Linking for KPS in Sensor Networks

a) Example 1 — KPS for sensor networks with one or multiple base stations [19]: In [19],
the base station of a sensor network (with $n$ nodes) has a master key which is used (with a PRF)
to derive different keys, with each one being shared between the base station and a different
sensor node. That is, each sensor node and the base station only need to store a single key. The
keying relationship graph is simply a star with the base station at the centre. This is indeed a
special instance of the access structure graph discussed in Section II; here, the number of users
is $(n+1)$ (including the base station) and the number of resources is $n$. Applying Theorem 1,
the maximum key storage in the best case is $\lceil n/(n+1) \rceil = 1$. Hence, the design in [19] is indeed
optimal in its context. By the same token, we could apply Theorem 1 to cases with multiple base
stations.

b) Example 2 — KPS with perfect connectivity in the key relationship graph: Ideally, to
ensure that any pair of physically neighboring nodes in the deployed network is able to find a shared
key, each node needs to store $(n-1)$ keys (without key linking) if there are $n$ nodes labeled
from $0$ to $(n-1)$. That is, the keying relationship graph $\mathcal{G}$ is a complete graph. This storage
requirement is trivially impractical. Since there are $\binom{n}{2}$ possible groups, if key linking is applied,
the maximum key storage in the best case is $\lceil \binom{n}{2}/n \rceil = \lceil \frac{n(n-1)}{2n} \rceil = \lceil \frac{n-1}{2} \rceil$ (Theorem 1); the
maximum possible reduction factor is $\frac{1}{2}$ (still not good enough).

The implementation of the linking could be done as follows. Without loss of generality, assume
$n$ is odd. A user $i$ needs to store one seed key $k_i$ and other derived keys
$\{k_{ji} = f_{k_j}(j\|i) : j = (i-d) \bmod n,\ d \in [1, \frac{n-1}{2}]\}$ where $k_{ji}$ is the pairwise key between node $j$
(where $j = (i-d) \bmod n$, $d \in [1, \frac{n-1}{2}]$) and node $i$. For the pairwise key between node $i$ and node $j'$
(where $j' = (i+d) \bmod n$, $d \in [1, \frac{n-1}{2}]$), $k_{ij'} = f_{k_i}(i\|j')$. That is, for the nodes in front of node
$i$, node $i$ has to store the derived keys, whereas, for the nodes behind it, it can derive the
pairwise key from $k_i$. As a result, the overall key storage per node is $\frac{n-1}{2} + 1$.
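The following Python is an added example (not the paper's or [19]'s code) instantiating $f_k(r\|r')$ of Section V with HMAC-SHA256, one of the PRFs named there, and using it to build the circular key rings of Example 2 and to check that both endpoints of every pair agree on their key; the length-prefixed label encoding and the use of decimal node ids as labels are this example's assumptions.

```python
"""PRF-based key linking (Section V) and the circular pairwise KPS of Example 2.

f_k(x) is instantiated as HMAC-SHA256 keyed with k, one of the conjectured PRFs
named in Section V. The label encoding (length-prefixed fields rather than a bare
r||r') and the use of decimal node ids as labels are this example's assumptions,
chosen so that distinct label pairs never collide."""
import hashlib
import hmac
import os
from typing import Dict, List

KEY_LEN = 32   # SHA-256 digest length: derived keys live in the same space as seeds


def prf(key: bytes, x: bytes) -> bytes:
    """f_k(x) = HMAC-SHA256_k(x); output space equals the key space (footnote 5)."""
    return hmac.new(key, x, hashlib.sha256).digest()


def link_label(r: str, r2: str) -> bytes:
    """Unambiguous encoding of the label pair r||r' (assumption: 2-byte length prefixes)."""
    a, b = r.encode(), r2.encode()
    return len(a).to_bytes(2, "big") + a + len(b).to_bytes(2, "big") + b


def derive(k: bytes, r: str, r2: str) -> bytes:
    """k' = f_k(r||r'): key of resource r' derived from key k of resource r."""
    return prf(k, link_label(r, r2))


def derive_chain(k: bytes, labels: List[str]) -> bytes:
    """Theorem 2's series: k_1 = f_k(r||r_1), k_2 = f_{k_1}(r_1||r_2), ..., k_t."""
    for prev, nxt in zip(labels, labels[1:]):
        k = derive(k, prev, nxt)
    return k


def build_rings(n: int, seeds: List[bytes]) -> List[Dict[str, object]]:
    """Key ring of node i (n odd): its seed k_i plus the (n-1)/2 preloaded keys
    k_ji = f_{k_j}(j||i) for the nodes j = (i-d) mod n, d in [1, (n-1)/2]."""
    if n % 2 == 0:
        raise ValueError("the construction assumes an odd number of nodes")
    half = (n - 1) // 2
    rings = []
    for i in range(n):
        derived = {}
        for d in range(1, half + 1):
            j = (i - d) % n
            derived[j] = derive(seeds[j], str(j), str(i))
        rings.append({"seed": seeds[i], "derived": derived})
    return rings


def pairwise_key(rings: List[Dict[str, object]], n: int, i: int, j: int) -> bytes:
    """Node i's pairwise key with j, computed from ring i alone."""
    half = (n - 1) // 2
    d = (j - i) % n
    if 1 <= d <= half:
        # j = (i + d) mod n: derive k_ij = f_{k_i}(i||j) on the fly from i's seed
        return derive(rings[i]["seed"], str(i), str(j))
    # j = (i - d') mod n: k_ji = f_{k_j}(j||i) was preloaded into the ring
    return rings[i]["derived"][j]


def ring_size(rings: List[Dict[str, object]], i: int) -> int:
    """Keys actually stored at node i: one seed plus (n-1)/2 derived keys."""
    return 1 + len(rings[i]["derived"])


def all_pairs_agree(n: int) -> bool:
    """Both endpoints of every pair compute the same key from their own rings
    (soundness); a third node holds neither of the two seeds nor the stored key."""
    seeds = [os.urandom(KEY_LEN) for _ in range(n)]     # constructed seeds
    rings = build_rings(n, seeds)
    return all(pairwise_key(rings, n, i, j) == pairwise_key(rings, n, j, i)
               for i in range(n) for j in range(n) if i != j)


if __name__ == "__main__":
    rings = build_rings(7, [os.urandom(KEY_LEN) for _ in range(7)])
    print("7 nodes agree:", all_pairs_agree(7), "ring size:", ring_size(rings, 0))
```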

c) Example 3 — KPS with bounded connectivity in the key relationship graph: In many
cases, due to storage constraints, each node can only share a common key with another $c$ nodes
with $c < n$. That is, each vertex in the keying relationship graph has a bounded degree. Without
loss of generality, assume $c$ is even.

The total number of edges of the resulting keying relationship graph $\mathcal{G}'$ is $\frac{nc}{2}$, which is the
total number of possible groups. If key linking is applied, the maximum key storage per node
in the best case is $\lceil \frac{nc/2}{n} \rceil = \lceil \frac{c}{2} \rceil$; the maximum reduction factor is again $\frac{1}{2}$. In the best possible
case, a node $i$ would only need to store one key $k_i$ and $\frac{c}{2}$ other derived keys $k_{ji}$. The problem of
determining which half of the $c$ pairwise keys are derived from $k_i$ and which half are obtained
from other $\frac{c}{2}$ nodes could be solved by finding an Eulerian tour over $\mathcal{G}'$. An Eulerian tour over
a graph $G$ is a tour along the edges of $G$ so that each edge is passed exactly once. Such a tour
exists in a graph $G$ if $G$ has at most two vertices with an odd degree; this is fulfilled for $\mathcal{G}'$
in question. Fleury's algorithm (shown in the Appendix) with running time $O(|E(G)|)$ (where
$|E(G)|$ is the total number of edges in $G$) can be used for finding an Eulerian tour [8] and the
set of edges of each vertex would be partitioned by the tour into two halves, one marked as
incoming edges and the other as outgoing edges. Now we could derive all pairwise keys on an
outgoing edge of node $i$ using $k_i$ and set the keys of the incoming edges as $k_{ji}$ derived from $k_j$
of another node $j$.

Regarding the case with an odd number of edges in a connectivity graph, edges could be added
to make the graph Eulerian. If there are vertices in a connectivity graph $G$ with an odd number
of edges, the total number of such vertices should be even.¹⁰ We could simply partition such a
subset of vertices into pairs and assign an edge to each pair; then the resulting graph is Eulerian.

¹⁰ The sum of the degrees of all vertices of a graph is even. If a vertex has an odd degree, then there must exist
another vertex with an odd degree to make the total sum even. That is, vertices with an odd degree come in pairs.

While a regular keying relationship graph is considered in this example, the result and technique
apply to a more general keying relationship graph as long as one can partition the edges connecting
each vertex into two parts. A reduction on the maximum key storage could always be achieved.

Recall that given any key of a node on a particular outgoing edge of the key relationship
graph, it is computationally infeasible to find the keys on other outgoing edges of the node, thus
guaranteeing resilience against compromised nodes. Any collusion of compromised nodes would
not threaten the security of the remaining nodes since we have considered an ideal access structure
and it is computationally hard for the collusion to find any key not originally held by them if a
pseudorandom function is used.

VII. Discussions 

While there is always a reduction in the average storage whenever there is redundant membership,
key linking may not lead to a reduction on the maximum key storage per user in some access
structures. Under the framework of constraints considered in this paper, it could be difficult to
achieve a reduction on the maximum storage in those cases. An analogy to this situation is
Huffman encoding in the equiprobable case. This sets the limits of any scheme if trading off
security is not considered. If further reduction on the maximum key storage is necessary, trading
off the ideal access structure is one possible solution and combinatorial techniques could apply as
in [3], [1], [17], [13]. Alternatively, we could consider a set of keys as a long bit string (instead
of a set of individual keys) and create the linking on a bit-by-bit basis using the technique of
correlated pseudorandomness [9]; however, the gain also comes as a result of trading off security:
now a non-privileged user may learn some of the bits of a resource key he is not supposed to,
whereas the key linking technique considered in this paper would not leak out information that
can be efficiently extracted by a non-privileged user.

VIII. Conclusion 

As applications involving low cost devices like sensor networks and RFID emerge, memory
cost (for secure key storage), which is usually not a concern, has become an essential constraint in
designing security systems. To alleviate this, the key storage requirement could possibly be reduced
by creating dependency among secret keys stored in a user device, that is, key linking. Key
linking exploits redundancy in privileged group memberships for key compression.

We derive an upper bound for the maximum achievable key compression in a system with an ideal,
general access structure. This bound is tight and can somehow be treated as a negative result,
which demonstrates that without trading off security, considerable key storage reduction may
not be achievable. We also show a provably secure instantiation of a key linking scheme using
pseudorandom functions. We show how to apply the key linking technique to reduce key storage
in pairwise key pre-distribution in wireless sensor networks; the storage reduction is still not
sufficient to give efficient schemes, which again demonstrates the cost in efficiency loss we have
to pay if no security tradeoff is considered. The results actually provide ground for proposals
which trade off security for efficiency.
APPENDIX

Fleury's Algorithm 

Fleury's algorithm constructs an Euler circuit in a graph (if it's possible). The algorithm runs 
as follows: 

1) Pick any vertex to start. 

2) From that vertex pick an edge to traverse, considering the following rule: never cross a bridge
of the reduced graph¹¹ unless there is no other choice.

3) Darken that edge, as a reminder that you can't traverse it again. 

4) Travel that edge, coming to the next vertex. 

5) Repeat Steps 2-4 until all edges have been traversed, and you are back at the starting vertex. 



¹¹ By "reduced graph" we mean the original graph minus the darkened (already used) edges.
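Added example (not the paper's code): Fleury's algorithm as stated above, run on a constructed 4-regular circulant graph to orient every edge of the keying relationship graph as in Example 3 of Section VI.B, so that each node derives the keys on its outgoing edges from its own seed and stores one key per incoming edge; the bridge test by connectivity and the sample graph are this example's own choices.

```python
"""Fleury's algorithm (Appendix) applied to Example 3 of Section VI.B: an Euler
circuit over the keying relationship graph orients every edge, so that node i
derives the keys on its outgoing edges from its own seed k_i and stores the
keys k_ji on its incoming edges. Sample graph: a constructed circulant graph,
c-regular with c even, hence Eulerian."""
from math import ceil
from typing import Dict, List, Set, Tuple

Edge = Tuple[int, int]          # undirected edge stored as (min, max)


def circulant(n: int, offsets: List[int]) -> Set[Edge]:
    """Constructed keying relationship graph: i shares a key with (i +/- o) mod n."""
    return {tuple(sorted((i, (i + o) % n))) for i in range(n) for o in offsets}


def connected(a: int, b: int, edges: Set[Edge]) -> bool:
    """Is b reachable from a using only the given (not yet darkened) edges?"""
    seen, stack = {a}, [a]
    while stack:
        v = stack.pop()
        for x, y in edges:
            for here, there in ((x, y), (y, x)):
                if here == v and there not in seen:
                    seen.add(there)
                    stack.append(there)
    return b in seen


def is_bridge(e: Edge, edges: Set[Edge]) -> bool:
    """e is a bridge of the reduced graph if removing it disconnects its endpoints."""
    return not connected(e[0], e[1], edges - {e})


def fleury(edges: Set[Edge]) -> List[Edge]:
    """Steps 1-5 of the appendix; returns the circuit as directed hops (from, to).
    Never cross a bridge of the reduced graph unless there is no other choice."""
    remaining = set(edges)
    v = min(min(e) for e in edges)                        # step 1: any vertex
    tour: List[Edge] = []
    while remaining:                                      # step 5
        incident = [e for e in remaining if v in e]       # step 2
        if not incident:
            raise ValueError("graph is not connected: no Euler circuit")
        choice = next((e for e in incident if not is_bridge(e, remaining)),
                      incident[0])                        # a bridge only if forced
        remaining.remove(choice)                          # step 3: darken it
        nxt = choice[1] if choice[0] == v else choice[0]
        tour.append((v, nxt))                             # step 4: travel it
        v = nxt
    return tour


def orient(tour: List[Edge], n: int) -> Dict[int, Dict[str, List[int]]]:
    """A hop i -> j makes the edge outgoing for i (k_ij := f_{k_i}(i||j)) and
    incoming for j (j stores k_ij, which it cannot compute from its own seed)."""
    part = {i: {"out": [], "in": []} for i in range(n)}
    for i, j in tour:
        part[i]["out"].append(j)
        part[j]["in"].append(i)
    return part


def key_storage(part: Dict[int, Dict[str, List[int]]]) -> Dict[int, int]:
    """Node i stores its seed k_i plus one derived key per incoming edge."""
    return {i: 1 + len(p["in"]) for i, p in part.items()}


def analyse_eulerian_kps(n: int, offsets: List[int]) -> dict:
    edges = circulant(n, offsets)
    tour = fleury(edges)
    part = orient(tour, n)
    return {
        "edges": len(edges),
        "tour_covers_all_edges": len(tour) == len(edges),
        "closed": tour[0][0] == tour[-1][1],
        "storage": key_storage(part),
        "bound": ceil(len(edges) / n),   # Theorem 1 with m = nc/2 resources
    }


if __name__ == "__main__":
    # 7 nodes, each keyed with 4 neighbours: 14 pairwise keys, c/2 = 2 stored each
    print(analyse_eulerian_kps(7, [1, 2]))
```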



